Posted by timothy on Wednesday July 15, 2009 @02:30PM
from the related-stories-are-must-reads dept.

Meshach writes "An article in Ars Technica claims that 12% of internet users have actually responded to spam messages and tried to buy items. Although I find this hard to believe, it does explain why my spam folder is always full." Also in spam news, wjousts links to a Technology Review article about how spammers get your e-mail address, writing "E-mail addresses in comments posted to a website had a high probability of getting spammed, while of the 70 e-mail addresses submitted during registration at various websites, only 4 got spammed."

... I have an entire domain with a catch-all... that way I can post under [domainI'mRegistering]@[mydomain.com]. Then I know exactly where the spam originated from. What was my most recent verified spammer? My bank X_X

One interesting thing I noticed is that they didn't talk at all about normal chain-emails. How many times do you receive an email from a friend with some sort of cute story that has been forwarded 10 times before it reaches you? You have to scroll down past 5 pages of email headers, which conveniently contain every email address of people who have been copied on that email. Eventually, one of those chain emails reaches a spammer, and they now have a couple hundred *validated* email addresses to spam to.

That's why when I (on rare occasion) forward an email, I delete all the previous email headers, and BCC everyone on the list so that the people I send the email to don't get their email address added. Of course, my email address is still shown as the source, so if the people I send to don't follow the same behavior as me, then my address gets added to the forward list.

So true. I had to chew my father out for just that sort of activity. He loves sending out 'joke' e-mails every morning, and initially he was just sending with everyone's name in the TO field. He now understands how easy it is to harvest addresses from such e-mails and uses BCC for everything.

I also found the bit in the article about harvesting e-mails by crawling a website interesting. I have to wonder why websites would allow anyone to crawl through their info to begin with. I would think adding the

Really? I honestly thought it would be much higher...just basing that off of some of my daily interactions with people. It's a good thing breathing is an involuntary action, cause there are a lot of people out there who'd forget to.

That's what I thought too, 12% seems a bit low. I've observed a lot of users who really can't tell you which stuff in their inbox they actually signed up to receive versus which are just spam. Half the stuff they sign up to receive looks as shady as spam anyway...
I just had a conversation this morning where I tried to teach a user to tell the difference between sales hype and legitimate information. He just couldn't get it, it was too much for him. He constantly forwards me things like "AMAZING NEW DISCOVERY...!!!", asking "what do you think of this, should I order it?".

"It's a good thing breathing is an involuntary action, cause there are a lot of people out there who'd forget to."

You know, it was the weirdest thing. For about an hour after my general anesthesia wore off (surgery...) I actually had to remind myself to breathe - felt like if I didn't do it consciously, I wouldn't do it at all. And even worse -- once I got home, I had to remind myself not to reply to spam!

The entire premise of this article depends on the definition of "spam." One could mark a legitimate business' unsolicited email as spam, but that doesn't mean that purchasing a product because of the material in one of those emails is newsworthy.

Do legitimate businesses send unsolicited email? I have never seen one.

I have, very very often. It seems common in the b2b market in the UK.
And yes, I am talking about real, honest-to-god legitimate businesses, with reputations; as well as the countless spams from others with differing levels of legitimacy (all the way from slightly dodgy telecoms resellers, through SEOs all the way down to the pill peddlers we all know and 'love').

When I chaired a society at university I got loads of spam (my address was listed on the university's website as the contact for the society), and so did the society's email address. Most of them would be asking me to spam everyone in the society with offers for summer "charity" work and so on. I usually replied with this, which scared them off:

This is a spam.

Quoting from http://www.ico.gov.uk/what_we_cover/privacy_and_electronic_communications/the_basics.aspx [ico.gov.uk],

,----[ Electronic mail ]
| Electronic mail is emails, SMS (text), picture, video and answer-phone
| messages. Electronic mail marketing messages should not be sent to
| individuals without their permission unless all these following criteria
| are met:
|
| 1. The marketer has obtained your details through a sale or negotiations
| for a sale.
| 2. The messages are about similar products or services offered by the
| sender.
| 3. You were given an opportunity to refuse the marketing when your details
| were collected and, if you did not refuse, you were given a simple way to
| opt out in every future communication.
`----

You have met none of these criteria. If I receive another message from you I will report your business as sending spam.

Yes, all the time. One of the worst sites I've seen for it is this [globalspec.com]. It's actually a pretty useful site with some good information and good tools for searching for a specific part, but when you look at any of the parts from a search, they send your e-mail address to that company and that company often spams you.

I guess technically I have responded to spam, as I sometimes respond to 419 scams to mess with the scammer. I respond pretending to be interested in whatever they said, then delay as much as possible in order to waste time. Maybe even reply with obviously fake documents (if they look too real, they could be used again against an innocent person in another scam). The idea is to waste as much of their time as possible, but without wasting much of your own time.

"The entire premise of this article depends on the definition of "spam." One could mark a legitimate business' unsolicited email as spam, but that doesn't mean that purchasing a product because of the material in one of those emails is newsworthy."

Nigerian princes in peril are another matter, though.

If we define spam as excluding legitimate businesses, who gets to define what's legitimate and what isn't? OK, so 419 scammers aren't legitimate, but they make up a small minority of the spam I get. And I'll gr

You'd be surprised how often people get upset about junk mail they're receiving, when in reality, they receive it because when they made a legitimate purchase a year or so previous, they left some option on the form check-marked that said "Allow us to contact you about our sales and other information."

It's also VERY often the case that once a legitimate business has your email address, they proceed to "spam" you with advertising on a regular basis, until you click someplace to opt out. Unfortunately, so ma

I believe you're right pointing out that "spam" and "scam" are different, but people have now tied those two really tight.

As for replying to spam? I'm guilty. Before I knew it wouldn't work, I replied several times asking them to remove me from their lists. Turns out, little attention they pay, unless for using your address to annoy you even more.

But yeah, I've replied to them as I believe "remove me from your list" falls into that category. Shame on me.

Don't bother reading Cele Castillo's book Powderburns [powderburns.org]. He was a DEA agent in Central America during the 1980's who personally witnessed the CIA and Contras shipping drugs to the US from Ilopongo airport.

Don't bother reading Gary Webb's Dark Alliance.

Don't bother finding out that in 2007 a CIA torture jet crashed in Mexico with 3.7 tons o [narconews.com]

I would have liked the article to state which sites sell e-mail addresses to spammers. They would certainly deserve it.

I use unique e-mail addresses for (almost) everything I sign up for, and I've never gotten a spam message from any of those unique accounts. I started getting a lot of spam when I first posted to LKML, which is published online.

Ditto for me. I've been using that gmail plus-addressing feature for awhile now. At least a year. Since then, every site I have gone to either got a custom address, or a separate throwaway or fake address if their address validator was awful enough to reject addresses with +'s in them (probably half of them). Some occasional spot checking on my spam filter has shown no e-mail arriving to any plus addresses.

This may not be completely surefire, because spammers might strip out the +stuff at the end of the address. In practice, it should work for now, because according to research like this article, spammers are lazy.

If in the future your main e-mail address starts to get spam, you could set your account up so that "address+real@gmail.com" goes to your inbox and anything addressed to just address@gmail.com is assumed to be spam. (Obviously, you only give out example+real@gmail.com to those you trust.)

For sites that reject +-address email addresses through gmail, use dots. It's not quite as clear, but if you don't have to do it very often it works. Gmail sees u38cg@gmail.com and u.38.cg@gmail.com as the same address.
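
The per-site address schemes discussed in the comments above (catch-all domain, Gmail plus-tags, dot variants, and treating the bare address as spam) can be checked mechanically against a spam folder. The following is an added example, not part of any comment in this thread; the mailbox, the issued addresses, the site names and the recipient list are all constructed, and the assumption that Gmail ignores dots and anything after "+" is taken from the comments themselves.

```python
"""Attribute spam to the site an address was given to (added example)."""
from collections import Counter

# Assumption from the thread: Gmail ignores dots in the local part and
# everything after "+", so all such variants reach the same mailbox.
DOT_INSENSITIVE = {"gmail.com"}

MAILBOX = "example@gmail.com"  # constructed canonical mailbox
ISSUED = {                     # constructed: exact address handed out -> site
    "example+shop@gmail.com": "shop.example",
    "e.xample@gmail.com": "forum.example",  # site whose validator rejects "+"
}
SPAM_RCPTS = [                 # constructed recipients seen in a spam folder
    "example+shop@gmail.com", "Example+Shop@gmail.com",
    "e.xample@gmail.com", "example@gmail.com", "someone@example.org",
]

def split_address(addr):
    """Return (canonical mailbox, tag or None) for one recipient address."""
    local, at, domain = addr.strip().lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    base, plus, tag = local.partition("+")
    if domain in DOT_INSENSITIVE:
        base = base.replace(".", "")
    return f"{base}@{domain}", (tag if plus else None)

def attribute(recipient, issued=ISSUED, mailbox=MAILBOX):
    """Classify a recipient as (verdict, site) relative to our mailbox."""
    addr = recipient.strip().lower()
    canonical, _tag = split_address(addr)
    if canonical != mailbox:
        return "not-ours", None
    if addr in issued:
        return "issued", issued[addr]   # this site leaked or sold the address
    if addr == mailbox:
        return "bare", None             # tag stripped, or address guessed
    return "unknown-variant", None      # a variant we never handed out

def route(recipient, trusted_tag="real"):
    """Deliver only the trusted tag; label issued addresses; hold the rest."""
    verdict, site = attribute(recipient)
    _canonical, tag = split_address(recipient)
    if verdict == "not-ours":
        return "reject"
    if tag == trusted_tag:
        return "inbox"
    if verdict == "issued":
        return f"label:{site}"
    return "quarantine"

def leak_report(recipients):
    """Count spam per issuing site; bare hits are counted separately."""
    counts = Counter()
    for rcpt in recipients:
        verdict, site = attribute(rcpt)
        if verdict == "issued":
            counts[site] += 1
        elif verdict == "bare":
            counts["(bare address)"] += 1
    return counts

if __name__ == "__main__":
    for site, n in leak_report(SPAM_RCPTS).most_common():
        print(f"{n:3d}  {site}")
```

A non-zero "(bare address)" count is the signal that senders are stripping tags, which is the case the bare-address quarantine rule is meant for.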

The data may be skewed: users may consider offers from genuine mailing lists 'spam' whether they've signed up to it intentionally or not, when completing a survey. This more relevant stuff is more likely click-worthy. The survey doesn't necessarily make this distinction and account for it.

Otherwise, it is somewhat believable as many individuals new to the internet learn many lessons the hard way.

Mind you, "but another 13 percent said they simply had no idea why they did it; they just did." explains why I still receive 'send this to 10 people or you will has bad luck' from otherwise intelligent and educated people.

I'm not sure a distinction is necessary to this study. That level of detail is certainly useful in a different context, but if spam merely meant 'advertisement via email they were not expecting' it would be equally valid.

Let's face it, few if any of us actually say 'yes, please annoy the hell out of me as I am allergic to Google'.

Hey! I got a great deal on penis enlargement, breast enhancement, and this greasy stuff you rub all over your body to increase your sexual desirability scent! Works great! Now if I could only get the dog to stop sniffing me, all the women would be barking at my door!

Sad to say, one of the places that I buy "generic viagra" from would not return my money when it did not work as well as the "super size me" products... I will just have to wait for my money from the deal I made in Nigeria to counter that loss.

You do realize that a Baylor University study indicated that those with conservative Christian beliefs are less "credulous" than the general population ( http://www.baylor.edu/pr/news.php?action=story&story=52815 [baylor.edu] ). They considered belief in the following to represent credulous thinking: dreams, Bigfoot, UFOs, haunted houses, communicating with the dead and astrology (Ch. 15, "Credulity: Who Believes in Bigfoot").

Well, considering that neither I nor the linked Slashdot submission use the word "Darwinism" and defend it in any way; that the word "Darwinism" is not what "is usually meant" by evolution; and that the word "Darwinist" is today mostly used by creationist fanatics as a derogatory and/or pejorative label for non-creationists, it might be safe to assume that you are an off-topic troll. How's that for a response?

I simply think that considering the stubbornness of some people with respect to a well-researched

It's more likely the most shy and/or secretive ones responding. Typically spammers are selling something people don't want to be known to purchase, and they may even be reluctant to enter an inflammatory keyword into Google. If I had any thoughts of a political career, for example, I wouldn't want any chance of an "anal intruder" search tracing back to my IP. That's not the case, I proudly get mine from Walmart.

I get a crapload of spam from the UAE (Dubai) and the only way I can think about how my email got harvested was that I once wrote a letter on an Al-Jazeera forum mentioning that not all Americans want to invade Iraq when the current Gulf War started.

I've noticed multiple resellers have my email now and are even soliciting me to buy their spam list as they are spamming me.

What is most annoying is that I am now getting emails that state that "this is not a spam email because is it from blah blah".

You know, the USA should invade the UAE to stop that sort of international scamming.

Every so often I go through my spam folder, it's pretty funny. I've noticed lately that a lot of them don't even have links, it's like they're just trying to annoy us. For example, I received this yesterday:

Forge your huge love sword

and that was it. No link, no pictures. My theory is I have a really good friend who goes through a whole lot of effort just to make me smile. Either that, or it's an insult on my manhood designed to make me feel inadequate.

A lot of spammers aren't very smart. They use pre-built off-the-shelf tools, and sometimes they click the wrong button and end up accidentally sending a mal-formed message to three million people by mistake. Sometimes there's a bug in the software, or it's just misconfigured. It doesn't really matter to them - after all, it doesn't cost them anything to send the spam, because they're stealing resources from others.

I got this username and email as an experiment. I have only posted it publicly on Slashdot and have not used it for anything else. I don't even check it. I just checked. I have 5,000 messages in my spam folder. And gmail deletes them after a month. So posting my email publicly on Slashdot only is resulting in 5,000 spams a month.

What disturbs me isn't the spam that comes from botnets of infected Windows PCs on residential broadband connections. I expect that. What bothers me is the spam that comes from dedicated servers colocated in actual datacenters, with static IP addresses, domain names, reverse DNS properly configured, and valid SPF records.

For example, these are apparently all owned by one spammer, that I've received spam from in the past few days: mx5.mit9zinger.com, mx2.finogento.com, mx1.finogento.com, mx4.pinchmir.com, mx1.travel1soe.com, mx2.kintopuzi.com, mx1.petchin.com, mx1.abaganawena.com, mx1.tineraset.com, mx2.kimbolimbo.com, mx2.greenzetrain.com

From a technical standpoint, everything looks legitimate. Because they offer an apparently-working opt-out mechanism (I'm sure it really just marks your address as "confirmed", but you'd have to come up with a way to prove that) and they're not spoofing any headers, they're probably not in violation of the CAN-SPAM Act.

Simple, did you try their unsubscribe form with a fake email address? It doesn't work. (broken path in the form action)
They are based in Baltimore (their servers at least). Their hosting company is http://dynamicdolphin.com/ [dynamicdolphin.com]
What are you waiting for? You could make some money :-).

I have two email addresses on yahoo.com. One is a jumble of letters and numbers which I use for access to things I have no desire to ever see again. Dump things like "we'll email you the download link". That email address, which has been around for 7+ years, gets the odd spam here and there.

The other yahoo.com email address is used only to enroll in a number of Yahoo groups and never given out or used for email. (I'm a ham and for whatever reason the ham community has fallen in love with Yahoo groups.) This second email address receives between 100-200 spams per week.

Keeping in mind that the second email address has never been given out, where did the spammers get my email address from? I can only assume that either Yahoo sells email addresses used in groups for "targeted advertising" or that they have a huge security hole through which they leak Yahoo group email addresses.

We've known for quite some time that spammers pick up email addresses by trolling the internet. With spam so insanely cheap - and highly profitable - to send out, there is no incentive for the spammers to select for email addresses that are known to be read regularly (or ever).

If they can harvest 1,000 new addresses in a few minutes of bot-crawling the internet, versus a few dozen by buying them from someone with a form somewhere, the choice is pretty simple.

The take-home message of this is something we've known for quite some time - don't let your email address out on public pages.

I'll shamelessly admit it: I've used Craigslist Personals to help me find dates. Before the entire hullabaloo regarding "erotic services," it was actually possible to get a few good, quality dates off the service. In fact, I was doing better on CL than other highly-regarded dating services, often using the same techniques! Spam was prevalent, but was often easy to spot and avoid.

Recently, I had a brief falling out with my girlfriend and browsed through CL to see other people. I was upset, but not surpris

I have used it as well, with great success. (I am painfully shy in real life.)
I have put up a couple of ads lately and the email harvesters have found a new technique. They reply to your ad, if you respond to their mail, you are on their list. But they use the same text in the message every time. :) How can they expect anyone to fall for such a message?

"Kind of sucks that it's almost impossible to get dates through Craigslist now, though."
Try http://www.plentyoffish.com/ [plentyoffish.com]

You would figure with all the crazies on the internet (that we MUST protect our children from), that sooner or later, some hot-head with a gun and enough technical know-how to track down a spammer would start a spammer hunt and start mowing them down.

It's ONLY when we have a spammer-serial-killer that spammers will stop. Suing them doesn't work, there's a guy out there that makes a living just suing spammers in small claims court. Laws and even government crackdowns don't work. It will only be when spammers live in fear for their lives and the lives of their families that they will consider another line of work.

What's annoying is that they've gotten so adept at hiding their identities, they are probably the only people on the internet who don't get spam, furthermore, they are probably the least likely to be targeted by the govt-nannyism of the web.

All in the name of selling snake oil. PT Barnum wouldn't believe how true his law is or that it's grown by a factor of 1000...

I seem to recall stories of this happening in Russia. I think the spammers pissed off the Russian mob and were taken out.

Now really, I think there is a long line of not-so-nice people I'd piss off before messing with the Russian mob: the Italian mob, drug cartels (as long as I'm not going to Mexico any time soon), Dick Cheney...

If we can shoot the spammers, can we then go after the dolts on tv selling snake oil as well?

I'd go after the guys who sell:
Get Rich in Real-Estate books
Medical Crap that people don't want you to know books
Spray this crap in your dog dish to make them feel better
FreeCreditReport.com
FinallyFast.com
Get-out-of-debt
Send us your gold
Class-action-law-suit for some health condition
and any kind of exercise equipment.

I was Joe Jobbed some years back. It was the highlight of my internet year. Seriously, it gave me giggles for a few days. I had a few "fuck off" replies but most were of the "take me off your list" type. One was from the CEO of NTL, or more likely his PA. Giggles, like I said. I responded to each email explaining what a Joe Job was, but no one replied back after that.

Here's the tricky part: How many emails "responding" to the Joe-job victim are emails from the spammer trying to validate the Joe-jobbed address?

Actually I RTFA'd (that makes at least two of us!) and while it doesn't say that those 12% responded, the percentage of users that clicked is about 52%. The relevant quote:

Slightly less than half (48 percent) said that they have never clicked on a spam e-mail. That's the good news, but that means the other half have clicked on or responded to spam. But why? The answers will undoubtedly horrify you. A full 12 percent said that they were interested in the product or service being offered -- those erection d

The idea that 12% have responded and tried to make purchases is ridiculous. Take a look at the paper I just linked. If you scroll towards the end, you can see the results of the experiment they did. Out of about 350,000,000 e-mails they observed being sent out, they only had about 10.5K (0.00303%) actually click on the link, and of those, only 28 (well below 0.00001%) people tried to make a purchase.

Now, granted, the poll included historical data, since they asked if people had ever clicked on a link or else tried to make a purchase before, but come on. 12%? Maybe back when spam was new or something, but as another person said earlier, almost all of us are "not retarded" at this point, or at least not stupid enough to go clicking those links. I wonder what percentage of people have actually clicked on spam links in the last year, as opposed to in their lifetime...

Is the one developed by the hard working folks at the OpenBSD project who have been studying spam for well over 5 years. They came up with something that is devilishly clever called OpenBSD Spamd. Spamd is basically a fake smtp engine that sets the TCP RWIN to 1. By doing this, it causes the transmission speed to slow to 1 byte per second. This can cause a backlog or even crash the spam sender. Fight back, don't filter! You can even create a series of spam trap addresses, publish them, and reverse harvest the IP addresses of the spam senders. Check out http://www.openbsd.org/ [openbsd.org]

I use a greylisting SMTP proxy [sf.net] (that I wrote myself). It eliminates about 90% of all spam before I even have to download it. Spamprobe takes care of the rest. It's only on very rare occasions that spam ever makes it to my inbox, and there are practically no false positives; and I've been using my email address for close to a decade now, on Usenet, on mailing lists, on crappy forums (like this one), and have never bothered to shield it or cloak it. Spam just isn't a problem for me any more.

I submitted a rebate form to MSI. They submitted the address to multiple spam sources.

No, I'm not guessing. I got IP addresses from helpful people at a couple of the companies, and it correlates with the day they found out I was suing them for refusing to honor the rebate. So, that's one way it can happen.

That was my thought too. People responding to 12% of all spam is quite a bit different than 12% of people having ever responded to a spam email. A 12% response rate for an email marketing campaign is enough to make any marketer's nipples hard enough to cut glass.